SOK: A Taxonomy of Attack Vectors and Defense Strategies for Agentic Supply Chain Runtime
Xiaochong Jiang, Shiqi Yang, Wenting Yang, Yichen Liu, Cheng Ji

TL;DR
This paper categorizes attack vectors and defense strategies for agentic LLM-based systems, emphasizing runtime vulnerabilities and supply chain threats, and proposes a zero-trust architecture to improve their security.
Contribution
It introduces a unified framework for understanding runtime threats in agentic systems and proposes a zero-trust architecture to mitigate these risks.
Findings
Identifies data and tool supply chain attack phases.
Describes the Viral Agent Loop as a new threat vector.
Proposes cryptographic provenance for secure tool invocation.
Abstract
Agentic systems based on large language models (LLMs) operate not merely as text generators but as autonomous entities that dynamically retrieve information and invoke tools. This execution model shifts the attack surface from traditional build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has examined model-level vulnerabilities, security risks arising from the complex, cyclic runtime behavior of agents remain fragmented. This paper systematizes existing research into a unified runtime framework. We categorize threats into data supply chain attacks (distinguishing between transient context injection and persistent memory poisoning) and tool supply chain attacks (spanning discovery, implementation, and invocation phases). Crucially, we identify the emergence of the Viral…
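The abstract's tool supply chain phases (discovery, implementation, invocation) and the finding that cryptographic provenance can secure tool invocation can be made concrete with a small runtime gate. The code below is an added illustration written for this page, not the paper's own construction: it assumes a per-publisher HMAC-SHA256 key as a stand-in for a real signature scheme, constructed tool names, versions and entrypoint URLs, and a gate that checks publisher identity, manifest integrity, and an operator-reviewed pin before a dynamically resolved tool may be invoked.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed publisher keys for this example only (assumption: HMAC with a
# per-publisher key stands in for a real digital signature scheme).
PUBLISHER_KEYS = {
    "trusted-publisher": b"example-signing-key-not-for-production",
}


def canonical(manifest: dict) -> bytes:
    """Canonical JSON encoding so identical manifests always hash identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def manifest_digest(manifest: dict) -> str:
    return hashlib.sha256(canonical(manifest)).hexdigest()


def sign_manifest(manifest: dict, publisher: str) -> dict:
    """Publisher side: attach identity plus an HMAC-SHA256 tag over the whole manifest,
    so every field the agent will read (name, description, entrypoint) is covered."""
    tag = hmac.new(PUBLISHER_KEYS[publisher], canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "publisher": publisher, "sig": tag}


@dataclass
class InvocationGate:
    """Agent side: runs before any dynamically resolved tool is invoked."""
    # tool name -> digest of the manifest version the operator actually reviewed
    pinned: dict = field(default_factory=dict)

    def pin(self, signed: dict) -> None:
        self.pinned[signed["manifest"]["name"]] = manifest_digest(signed["manifest"])

    def verify(self, signed: dict) -> tuple:
        manifest = signed.get("manifest", {})
        key = PUBLISHER_KEYS.get(signed.get("publisher"))
        if key is None:
            return (False, "unknown publisher")
        expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("sig", "")):
            return (False, "signature mismatch")
        if self.pinned.get(manifest.get("name")) != manifest_digest(manifest):
            return (False, "manifest not pinned")
        return (True, "ok")


def run_demo() -> dict:
    """Exercise the gate against one genuine manifest and three supply chain failure modes."""
    # Constructed sample manifest; the hostname is a placeholder.
    v1 = {"name": "search_docs", "version": "1.0.0",
          "description": "Search the internal documentation index.",
          "entrypoint": "https://tools.example.internal/search_docs"}
    genuine = sign_manifest(v1, "trusted-publisher")
    gate = InvocationGate()
    gate.pin(genuine)

    # 1. Implementation-phase tampering: a field changed after signing.
    tampered = json.loads(json.dumps(genuine))
    tampered["manifest"]["entrypoint"] = "https://tools.example.internal/search_docs_alt"

    # 2. Discovery-phase impostor: same manifest, but presented by an unknown publisher.
    impostor = dict(genuine, publisher="unverified-publisher")

    # 3. Silent update: correctly signed v2 that nobody reviewed or pinned.
    v2 = dict(v1, version="2.0.0")
    unpinned = sign_manifest(v2, "trusted-publisher")

    return {
        "genuine": gate.verify(genuine),
        "tampered": gate.verify(tampered),
        "unknown_publisher": gate.verify(impostor),
        "unpinned_update": gate.verify(unpinned),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:18s} -> {'ALLOW' if ok else 'BLOCK'} ({reason})")
```

The order of checks matters: publisher identity first, then integrity of every manifest field the model will read (including the description, so a description altered after signing fails the same way an altered entrypoint does), then the pin. The pin is what turns provenance into policy: a correctly signed newer version is still blocked until an operator reviews it, which is the check that resists a silent update of a tool the agent already trusts.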
